Security Considerations

Applies To: Operations Manager 2007 R2

The Monitoring Pack for Windows Azure Applications creates three Run As profiles:

  • Windows Azure Run As Profile Blob

  • Windows Azure Run As Profile Password

  • Windows Azure Run As Profile Proxy

You must create Run As accounts for Windows Azure Run As Profile Blob and Windows Azure Run As Profile Password. The account for Windows Azure Run As Profile Blob stores the certificate with the private key for the Windows Azure application. The account for Windows Azure Run As Profile Password stores the password for the private key.

Creating an account for Windows Azure Run As Profile Proxy is optional. The account for Windows Azure Run As Profile Proxy stores credentials for access to the HTTP proxy server that is used to make API calls to Windows Azure. For more information about how to create a Run As account, see How to Create a Run As Account in Operations Manager 2007 (https://go.microsoft.com/fwlink/?LinkID=165410).

When you complete the Create Run As Account Wizard, the completion page notifies you that you must associate the Run As Account with an appropriate Run As profile. The Add Monitoring Wizard will associate the Windows Azure Run As Profile Blob and Windows Azure Run As Profile Password profiles with the accounts that you specify. If you create a Run As account for Windows Azure Run As Profile Proxy, you must manually associate the Windows Azure Run As Profile Proxy profile with the account that you create. For more information about how to associate a Run As account with a Run As profile, see How to Modify an Existing Run As Profile (https://go.microsoft.com/fwlink/?LinkID=165412).

Create the Run As accounts by using the values listed in the following table.

| Field | Value for account for Windows Azure Run As Profile Blob | Value for account for Windows Azure Run As Profile Password | Value for account for Windows Azure Run As Profile Proxy |
| --- | --- | --- | --- |
| Run As Account type | Binary Authentication | Basic Authentication | Windows Authentication |
| Credentials | For the Binary account file, browse to and select the certificate file for the Windows Azure application. You do not have to import the certificate on the agent proxy computer. The certificate must be a .pfx file. To convert a .cer file to a .pfx file, you must import the certificate and then export it as a .pfx file. For information about importing certificates, see Authenticating Service Management Requests (https://go.microsoft.com/fwlink/?LinkId=200935). For information about exporting certificates, see Export a Certificate with the Private Key (https://go.microsoft.com/fwlink/?LinkId=203031). | Enter a user account and the password for the private key for the certificate. The Run As profile only requires the password, so you can enter any user name here. | Enter a user name and password that has permissions to the computer that will be used as the proxy agent. After you create this account, associate it with the Windows Azure Run As Profile Proxy profile. |

When you create the Run As account, we recommend that you select the More secure setting for the distribution security option. When you configure discovery for the Windows Azure application, you specify a computer to act as proxy agent for the application and can distribute the account credentials to the proxy agent at that time.
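
A pre-flight check for the .pfx file and private-key password described above, as an added PowerShell example that is not part of the monitoring pack or the original documentation. The function name Test-RunAsPfx and the file name in the usage comment are hypothetical; the check confirms that the password opens the file, that the file carries a private key, and that the certificate is within its validity period.

```powershell
# Added example. Test-RunAsPfx is a hypothetical helper, not part of the monitoring pack.
# Usage (file name is a placeholder):
#   Test-RunAsPfx -Path .\azure-app.pfx -Password (Read-Host -AsSecureString 'PFX password')
function Test-RunAsPfx {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][System.Security.SecureString]$Password
    )

    $problems = @()
    $cert = $null
    $info = @{ Path = $Path; Subject = $null; Thumbprint = $null; NotAfter = $null; HasPrivateKey = $false }

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        $problems += 'File not found.'
    }
    else {
        if ([System.IO.Path]::GetExtension($Path) -ne '.pfx') {
            $problems += 'File extension is not .pfx; the Binary Authentication account expects a .pfx file.'
        }
        try {
            $full  = (Resolve-Path -LiteralPath $Path).ProviderPath
            $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
            # Opening the file with the password proves the two Run As secrets match.
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                -ArgumentList $full, $Password, $flags
            $info.Subject       = $cert.Subject
            $info.Thumbprint    = $cert.Thumbprint
            $info.NotAfter      = $cert.NotAfter
            $info.HasPrivateKey = $cert.HasPrivateKey
            if (-not $cert.HasPrivateKey) {
                $problems += 'No private key in the file (a renamed .cer?). Export again with the private key.'
            }
            $now = Get-Date
            if ($now -gt $cert.NotAfter)  { $problems += "Certificate expired on $($cert.NotAfter)." }
            if ($now -lt $cert.NotBefore) { $problems += "Certificate is not valid until $($cert.NotBefore)." }
        }
        catch {
            # A wrong password or a damaged file surfaces here as a cryptographic error.
            $problems += "Could not open the file with this password: $($_.Exception.Message)"
        }
        finally {
            if ($cert) { $cert.Reset() }   # release the certificate and key loaded for the check
        }
    }
    $info.Problems = $problems
    $info.Usable   = ($problems.Count -eq 0)
    New-Object PSObject -Property $info
}
```

Reading the password with Read-Host -AsSecureString keeps it out of the command history and script files.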